HP warns on dangerous applications security environment

Ross O. Storey
May 15, 2009

Asia-Pacific enterprises behind the US and Europe in understanding the threat

Billy Hoffman, Manager, HP web security research group

SINGAPORE, 15 MAY 2009 - Major businesses in the Asia Pacific are about two years behind the US and Europe in their appreciation of the current dangerous environment relating to hacker attacks on enterprise applications, according to IT giant HP.

This is despite the trend for hackers to move towards application-based attacks, which, research house Gartner says, now make up 75 per cent of security incursions across the globe. Such application-based attacks are now considered the 'new wave' of IT security threats.

HP says application security threats from hackers are also increasing due to the current economic downturn, which is producing growing numbers of out-of-work programmers with an axe to grind. Hacker attacks are becoming much more sophisticated and organised. Most are now stealthy, not to prove any point, but simply to make money.

Gartner estimates that some 80 per cent of all companies will have suffered through an application security threat by the middle of this year. According to the US Ponemon Institute and the Open Security Foundation, the average number of compromised records, such as personal IDs and credit card numbers, per data breach in the past year was 30,000. The total average cost of a data breach per compromised record was US$202, and the average total cost per breach was US$6.65 million.

Data breaches cost billions

No industry is exempt and data breaches in 2008 cost the financial services industry US$2.53 billion (12.5 million records affected), government US$5.05 billion (25 million records affected) and major retailers US$19 billion (94 million records affected).

The world's biggest software company provided the statistics and gave the warning at a four-nation (Singapore, Australia, India and the US) media teleconference this morning, using the HP Halo Telepresence system.

HP's regional marketing manager, application lifecycle management solutions, HP Software and Solutions, Peter McInnes, told the video conference from Australia that in the Asia Pacific, 24 per cent of enterprises manage security from development to the operations phase and have formal security policies and tools in place. Fifty-seven per cent still use manual methods to identify application security vulnerabilities.

"The problem is that there is no clear indication about who is responsible for application security," McInnes said. A recent Economist Intelligence Unit survey found that 46 per cent of enterprise respondents said it was the security team, 36 per cent said it was the operations team, and 31 per cent said it was the development team. It's too easy to point the finger at someone else within the organisation when there's no centralised strategy.

Manager of HP web security research group, Billy Hoffman, told the video conference from the US that application security should be a subset of software quality control.